New Microsoft Hack Warning As Windows Backdoor Attackers Strike

From Forbes

A new cyberattack, being tracked as FLUX#CONSOLE, exploits user concerns about tax issues to start an exploit that ends with a Windows management console backdoor payload. Here's what you need to know about the attack methodology and mitigation.

Windows phishing attacks are not new. Using tax issues as a lure in such attacks is not new. Even Windows backdoor payloads are, unfortunately, not new. Putting them all together in one attack exploit, however, is far from commonplace. Where the FLUX#CONSOLE campaign breaks relatively unusual ground, Securonix security researchers Den Luzvyk and Tim Peck said, is in "how the threat actors leverage Microsoft Common Console Document files to deploy a dual-purpose loader and dropper to deliver further malicious payloads."

The key takeaways from the newly published Securonix FLUX#CONSOLE Windows threat campaign analysis included:

The attack likely starts with either a phishing email link or attachment. Although the researchers were unable to obtain the original email, the nomenclature used in the filenames suggested income tax deduction and rebates as the bait.

The threat actors exploited Microsoft Management Console "snap-in files," which are ordinarily used to configure administrative tools in Windows; think Event Viewer, Task Scheduler and Device Manager, for example. "When double-clicked," the analysis stated, "an .msc file automatically launches the MMC framework (mmc.exe) and executes the contained instructions." This includes executing arbitrary code without explicit user consent.

The researchers said that, in the example they quoted, code execution began when the user double-clicked a file called "Inside ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc," which masquerades as a PDF. This obfuscation was aided by the fact that "the setting for common extension visibility is disabled by default in modern versions of Windows," the researchers said. What's more, the obfuscation appears to extend to evading antivirus detection, with the malicious .msc file scoring only "3/62 positive detections according to VirusTotal" at the time of writing, according to the report.

The FLUX#CONSOLE campaign highlights the persistent use of modern obfuscation techniques in malware development, the Securonix analysis concluded, and "serves as a reminder of the evolving tactics employed by threat actors and the growing challenges faced by defenders in mitigating these sophisticated threats."

I have reached out to Microsoft for a statement.

To mitigate the Windows backdoor threat this campaign poses, Securonix recommended users avoid downloading files or attachments from external sources, especially if the source was unsolicited. "As .msc files were leveraged," the researchers said, "look for unusual child processes spawning from the legitimate Windows mmc.exe process." Securonix also strongly recommended the deployment of "robust endpoint logging capabilities to aid in PowerShell detections," including "leveraging additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage."
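As an added illustration of the hunt Securonix describes (example code written for this article, not from Securonix, Forbes or Microsoft), the following Python applies two checks to constructed Sysmon Event ID 1 records: mmc.exe spawning a child outside an assumed allowlist, and an .msc path that carries a document-style double extension like the one quoted above. The field names mirror Sysmon's ProcessCreate event; the allowlist and the sample events are assumptions for the example.

```python
import json
import re
from pathlib import PureWindowsPath

# Child images mmc.exe is normally expected to launch. This allowlist is an
# assumption for the example; baseline it against your own environment.
EXPECTED_MMC_CHILDREN = {"mmc.exe", "conhost.exe", "dllhost.exe"}

# A document-looking name that actually ends in .msc, e.g. "report.pdf.msc".
DOUBLE_EXT_MSC = re.compile(r"\.(pdf|docx?|xlsx?)\.msc\b", re.IGNORECASE)


def suspicious_mmc_event(event: dict) -> list:
    """Return the rule hits for one Sysmon ProcessCreate record (empty = clean).
    Uses only Image, CommandLine, ParentImage and ParentCommandLine."""
    hits = []
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    # Rule 1: the legitimate MMC host spawning something it normally does not.
    if parent == "mmc.exe" and image not in EXPECTED_MMC_CHILDREN:
        hits.append(f"mmc.exe spawned unexpected child {image}")
    # Rule 2: the console file being opened masquerades as a document.
    for field in ("CommandLine", "ParentCommandLine"):
        if DOUBLE_EXT_MSC.search(event.get(field, "")):
            hits.append(f"double-extension .msc path in {field}")
            break
    return hits


def scan(json_lines):
    """Yield (ProcessId, hits) for every JSON-encoded event that matched a rule."""
    for line in json_lines:
        event = json.loads(line)
        hits = suspicious_mmc_event(event)
        if hits:
            yield event.get("ProcessId"), hits


# Constructed sample events (not taken from the Securonix report); the file
# name in the first two is the one the article quotes. The third is benign.
SAMPLE_EVENTS = [
    r'{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\mmc.exe", "ParentImage": "C:\\Windows\\explorer.exe", '
    r'"ParentCommandLine": "explorer.exe", "CommandLine": "mmc.exe \"C:\\Users\\u\\Downloads\\Inside ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc\""}',
    r'{"ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile", '
    r'"ParentImage": "C:\\Windows\\System32\\mmc.exe", "ParentCommandLine": "mmc.exe \"C:\\Users\\u\\Downloads\\Inside ARRVL-PAX-MNFSTPK284-23NOV.pdf.msc\""}',
    r'{"ProcessId": 4210, "Image": "C:\\Windows\\System32\\mmc.exe", "ParentImage": "C:\\Windows\\explorer.exe", '
    r'"ParentCommandLine": "explorer.exe", "CommandLine": "mmc.exe C:\\Windows\\System32\\eventvwr.msc"}',
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(hits))
```

The sample run flags the first two events and leaves the Event Viewer launch alone; in practice, feed it the JSON your Sysmon forwarder emits and tune the allowlist to your baseline.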
